
Steam user database compromised

Today a message will be going out to all Steam users. According to Valve, the Steam forums were compromised on November 6th, but further investigation revealed that the intrusion went beyond the forums: the Steam user database was also accessed. The email from Valve's founder Gabe Newell:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

While there is no evidence that passwords and credit card information have been compromised, with the state of encryption cracking, it should only be a matter of time (and horsepower). This would be a very, very good time to change your Steam passwords (SideQuesting has an easy-to-follow guide), watch your credit card statements, and enable two-factor authentication on your Steam account (and your Google account as well, if you use Gmail for anything). To enable two-factor authentication in Steam, go to “Settings” and you’ll find instructions under the “Account” section.


Comments

  1. Ilriyas
    Well, that's always fun, isn't it?

    Thanks for putting that up Prime I don't check my email enough to catch something like that.

    Just changed my passwords, hope they get everything fixed up soon.
  2. Jokke
    Today a message went out to all Steam users

    I've received no such thing. Does that mean it doesn't apply to me?
  3. Basil
    Jokke wrote:
    I've received no such thing. Does that mean it doesn't apply to me?
    Same, though I've never used steam forums so perhaps that's it?
  4. Thrax
    Everyone should change their password, no matter what they have or have not done with the service.
  5. Jokke
    I did; I also deauthorised all machines other than the one I'm on now. I just want to know if I should withdraw all my cc cash.
  6. primesuspect
    The press got the letter first. I imagine all users will be notified shortly.
  7. Koreish
    Steam cannot currently process my request?
  8. Ilriyas
    Koreish wrote:
    Steam cannot currently process my request?

    I herped and then I derped.

    My guess, everyone's caught wind of this and the password change requests are overloading whatever capability Steam's servers have for managing that sort of thing.

    That, or it's just Steam being Steam; the number of those messages I get in a month is ridiculous.
  9. Lauren
    The, uh, credit cards and passwords will never be cracked if Steam used a real encryption system. It's not a question of having enough power; it's that modern encryption methods are incredibly strong and use ciphers that have never been cracked. Credit card numbers get stolen online either from neglecting to properly store this data (and by doing so breaking the law, unlikely in the case of a company like Steam, which I am sure gets audited), or by capturing the data before it reached the db.
  10. primesuspect
    Fair enough, Lauren. However, users should still definitely change their passwords.
  11. Matt
    Lauren's correct; "it should only be a matter of time (and horsepower)" is ignorant and fear-mongering. Even a token effort to read up on modern cryptography would have been enough to inform you that the time taken to brute-force the encryption Valve is using is on the order of a few trillion years.

    tl;dr: You're wrong.
  12. Thrax
    This is all assuming Steam implements proper security algorithms. And I think all the big hacks in the media these last 24 months have shown that you can never be sure of that.
  13. shwaip
    Who knows what they actually got. If they got a list of hashed passwords, then they can run the hashed list against a rainbow table. Because they have a lot of passwords, it probably wouldn't be too hard to figure out any salt that they added to the hash. :/
  14. Protektor
    It is law in the US now that they will have to notify by email every single customer, because they can't prove whose info was taken and whose wasn't. I believe they have 72 hours to notify customers, I think. I know there is some time limit they have to notify every customer by because of this law.
  15. Jeff
    Lauren is half-right. The credit card data should not be crackable. The only way this would happen is if the private key was accessed. This is possible depending on the way Steam implemented its credit card storage, since you could use your credit card without passing a special passphrase, but it could have been implemented in such a way that this would be quite difficult.

    The passwords are much more likely to be crackable. They are not actually encrypted. Passwords are stored as a cryptographic hash. Valve doesn't tell us which hash was used, but if it was MD5, which is somewhat likely, all but the securest (i.e., longest) passwords will probably be compromised. If it was something more secure, a good password should still be safe.
  16. Rodrigo
    I'll second that; no way can an encrypted credit card number be cracked.
  17. Koreish
    Kids, all we're saying is be safe, alright?
  18. Kwitko
    I changed my Steam password from password to password1. I'm ultra-secure now!
  19. Ilriyas
    Koreish wrote:
    Kids all we're saying is be safe alright?

    I just took it at face value and changed everything. I've had my personal info stolen before when I was younger, so even as a precaution I'm going to go to lengths to make sure it doesn't happen again.

    No need to argue about what was affected; just change your passwords as a precaution.

    Be proactive, not reactive.
  20. Pete
    If you want to know if something can be 'cracked' (that is to say, if the encryption is reversible) then the answer is usually 'yes'. The question is: will it be cracked?

    There are many methods to generate an encrypted password hash. The old standard is to use a hash function (such as MD5, SHA1, etc) combined with a salt. This makes it difficult to simply look up the precomputed value of the hash - but not impossible. Considering the incredible speed one can compute the older hashes like MD5 and SHA1, it's perfectly feasible to crack these in days if not hours with a modest amount of CPU/GPU power.

    However, there are more modern hash functions such as bcrypt and pbkdf2 which take much much longer to create a hash. The result is it takes much much longer to attempt to crack it. They're not very widely used right now, but their popularity is increasing as more password databases get compromised. It's very unlikely the Steam database was built with one of these hashes in mind.

    I don't know how they encrypt or store their credit card data, but one thing's for sure: it has to be reversible for them to decrypt it and process your payment. Thus it's only a matter of cracking the key - which again, depends on the ciphers used, the key length, etc. Is there only one private key protecting all the credit card data? If so, it may be worthwhile to attempt to brute force the entire key. All that really matters is computing power and time. If you're lucky it's complex and large enough that they'll never feasibly be able to crack it.

    So how about it, kid? Do you feel lucky?
  21. Kwitko
    Pete wrote:
    So how about it, kid? Do you feel lucky?

    QFT. Really, people, what's the big deal to change your password? It takes all of 10 seconds.
  22. Ilriyas
    Kwitko wrote:
    QFT. Really, people, what's the big deal to change your password? It takes all of 10 seconds.

    Honestly I've been thinking the same thing.
  23. Straight_Man
    Yep, just change your passwords every couple of months.
  24. Jeff
    Pete wrote:
    If so, it may be worthwhile to attempt to brute force the entire key.

    I just want to clarify that it is not really feasible for an individual to brute force anything that has been encrypted with standard asymmetric cryptography techniques. Nothing is possible if they don't have the secret key file. If they do, and it's encrypted like it should be, then the attacker will have to guess the symmetric key used to encrypt the secret key ("passphrase"). This is much more plausible than brute-forcing a key from scratch but it should still be safe if a good passphrase was used.

    The data may have been encrypted symmetrically using something like AES or Blowfish. In this case, as in the case of the encrypted secret key, it's much more plausible to crack if a bad passphrase was used, but should be safe if a good passphrase was used. Symmetric encryption is somewhat likely since it would have simplified the automated process of unlocking credit card data.

    If someone has your credit card info, it's not so simple as changing your password.

    I hope and expect that someone at Valve will provide more technical detail soon.
  25. storrm
    I made a Steam account on the 3rd :/ lol
  26. ⬡
    Sounds like Steam is generally Doing It Right™, except why aren't they requiring password changes? Even if the passwords are hashed, they're still at risk.
  27. john
    Actually, the comment about the encryption never being cracked is potentially total rubbish. It all depends on how the passwords are salted, but given the short length of the Steam-issued passwords a rainbow table attack would be highly effective; in fact I probably have the required rainbow tables sitting on my machine at home.
  28. masterchen
    CEO Gabe's e-mail indicates that he has handled this issue responsibly. Way more responsibly than a lot of other compromised companies in the news.
  29. Fra
    If they had access to Valve systems they could have, in the last days/weeks, sniffed the secret keys used to decrypt the CC data.

    How did they get the Steam Database if they only owned the forum?

    They could have sniffed the last payments.
  30. Otto
    A little bit of investigation would have given the answers needed for this discussion.

    What was "hacked" was the Steam forums.

    The Steam forums are powered by vBulletin.

    Unless they changed the defaults, the vBulletin password hashes are stored using this method:
    $hash = md5(md5($password) . $salt);   // PHP string concatenation is ".", not "+"

    So if you used a dictionary word or a variant of one on the Steam Forums, then it can be pretty easily cracked.

    Main danger here: If you used the same password on the Steam Forums as you used elsewhere, then hackers can get into your other accounts. Don't use the same password on different systems!

    Likelihood of them getting credit card information is minimal. Same with your actual Steam account, unless you used the same password on there and don't have the SteamGuard two-factor authentication turned on.

    If you have never set up an account on the Steam Forums, then don't worry about it.
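An added worked example for the points Pete, Jeff and Otto make above: it is editorial code, not from the post, any commenter or Valve. It implements the vBulletin-style md5(md5(password) . salt) scheme exactly as quoted, runs a small dictionary attack against a constructed dump of three forum accounts (all names, salts and passwords are made up here), and then measures how much a deliberately slow KDF (PBKDF2-HMAC-SHA256, iteration count chosen here) would raise the cost of every single guess. Only the Python standard library is used.

```python
"""Added example for this thread (not code from the Icrontic post, its commenters or Valve).

It reproduces the vBulletin-style scheme quoted above, md5(md5(password) . salt),
runs a small dictionary attack against a constructed dump of three forum accounts,
and then measures how much a deliberately slow KDF (PBKDF2-HMAC-SHA256) would
raise the cost of every single guess. All user names, salts and passwords below
are made up for the example."""
import hashlib
import time


def vb_hash(password: str, salt: str) -> str:
    """vBulletin 3/4 default: md5 of (md5 hex digest of the password, concatenated with the salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """Slow, salted alternative of the kind the thread mentions; iteration count chosen here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


# Tiny wordlist standing in for the multi-million-word lists crackers actually use.
WORDLIST = ["password", "letmein", "dragon", "steam", "portal", "halflife", "valve"]


def candidates(wordlist):
    """Each word plus the cheap mangling rules every cracker tries first."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        for n in range(10):
            yield f"{w}{n}"
        yield w.replace("a", "4").replace("e", "3").replace("o", "0")
        yield w + "!"


# Constructed "leaked" dump: (username, per-user salt, stored hash).
SAMPLE_DUMP = [
    ("alice", "a1B", vb_hash("dragon1", "a1B")),         # dictionary word + digit
    ("bob",   "Zx9", vb_hash("p0rt4l", "Zx9")),          # l33t variant of a word
    ("carol", "Q7m", vb_hash("xK9#mQ2vL7zP!w", "Q7m")),  # long random string
]


def crack(dump, wordlist, hasher=vb_hash):
    """Try every candidate against every record. The salt stops one precomputed
    table from serving all users, but it does not slow down a live guess at all.
    Returns ({username: recovered_password}, number_of_hash_evaluations)."""
    found, guesses = {}, 0
    for user, salt, target in dump:
        for cand in candidates(wordlist):
            guesses += 1
            if hasher(cand, salt) == target:
                found[user] = cand
                break
    return found, guesses


def slowdown_factor(salt: str = "Q7m", fast_n: int = 20_000, slow_n: int = 10) -> float:
    """Per-guess cost of PBKDF2 (100k iterations) relative to md5(md5(p).salt),
    measured on this machine. The exact figure varies; the order of magnitude is the point."""
    t0 = time.perf_counter()
    for i in range(fast_n):
        vb_hash(f"guess{i}", salt)
    fast = max(time.perf_counter() - t0, 1e-9) / fast_n
    t0 = time.perf_counter()
    for i in range(slow_n):
        pbkdf2_hash(f"guess{i}", salt)
    slow = (time.perf_counter() - t0) / slow_n
    return slow / fast


if __name__ == "__main__":
    found, guesses = crack(SAMPLE_DUMP, WORDLIST)
    print(f"recovered {found} after {guesses} md5 evaluations; carol's password survived")
    print(f"PBKDF2 would cost roughly {slowdown_factor():,.0f}x more per guess")
```

Running it recovers alice's and bob's passwords in under two hundred md5 evaluations while carol's long random string is never reached, which is Jeff's point about long passwords and Otto's about dictionary words; the last line shows Pete's point, that a per-user salt does nothing against a live guessing attack and only a slow hash such as PBKDF2 or bcrypt makes each guess expensive.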
  31. Mike
    My password is a long random string of characters, unique to the Steam service. An attacker wouldn't be able to brute force it even if they were using MD5 with no salt. And even if they did, all they'd get access to is my Steam account, not any other accounts.

    I also gave Steam a unique email address, which I've never used anywhere else, so if I start to get spam on it, I can just drop it and use a new one.

    More people really should start using these basic precautions.
  32. PirateNinja
    I've NEVER had this problem with Origin.
  33. Kwitko
  34. Chooch
    I heard GLaDOS did it.
  35. Linc
    I wonder if they're ready to switch to Vanilla.

    Too soon? :D
  36. Martin
    "While there is no evidence that passwords and credit card information have been compromised, with the state of encryption cracking, it should only be a matter of time (and horsepower)."

    What a terribly uninformed statement. Assuming they did the obvious thing and encrypted the information in AES-256, it's not a matter of time or horsepower; it's a matter of ridiculous improbability with respect to the availability of energy. Any viable attacks on AES will not lower its complexity anywhere close to enough. http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html
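Martin's energy argument, carried through as an added worked calculation (an editorial addition, not part of his comment or of the Schneier post he links; the physical constants are standard values and the ten-billion-year solar lifetime is a rough figure):

Landauer's principle gives the minimum energy to set or erase one bit at temperature $T$ as

$$E_{\text{bit}} = k_B T \ln 2, \qquad k_B = 1.381 \times 10^{-23}\ \mathrm{J/K}.$$

At $T = 300\,\mathrm{K}$ this is $E_{\text{bit}} \approx 2.87 \times 10^{-21}\ \mathrm{J}$. Merely stepping a counter through every 256-bit key, each increment changing at least one bit, therefore needs

$$E_{256} \ge 2^{256}\, k_B T \ln 2 \approx 1.16 \times 10^{77} \times 2.87 \times 10^{-21}\ \mathrm{J} \approx 3.3 \times 10^{56}\ \mathrm{J}.$$

The Sun radiates about $3.8 \times 10^{26}\ \mathrm{W}$; over a ten-billion-year main-sequence lifetime ($\approx 3.2 \times 10^{17}\ \mathrm{s}$) that comes to

$$E_{\odot} \approx 3.8 \times 10^{26}\ \mathrm{W} \times 3.2 \times 10^{17}\ \mathrm{s} \approx 1.2 \times 10^{44}\ \mathrm{J},$$

so

$$\frac{E_{256}}{E_{\odot}} \approx \frac{3.3 \times 10^{56}}{1.2 \times 10^{44}} \approx 3 \times 10^{12}.$$

Counting through the AES-256 key space, before performing a single AES operation per key, would consume the entire lifetime output of roughly three trillion suns. That is the sense in which "time and horsepower" do not apply to a properly used 256-bit key; the realistic risks are the ones other commenters name, namely obtaining the key itself or the card data before it is encrypted.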
  37. Thrax
    Martin wrote:
    Assuming they did the obvious thing

    It's almost like you haven't read any of the news the last two years where companies did the exact opposite with millions of credit card numbers. Let's start with Sony PSN and work our way backwards, shall we?
  38. Canti
    Reading all this makes me feel like the hacker has gained a billion keys to try on one lock, and Valve has suggested changing the lock on the very off chance they use the right key. Because of this, many of you are discrediting the suggestion simply because of how unlikely it is they find the right key.
  39. primesuspect
    I stand by my statement: A determined enough hacker (or group, or organized crime organization) can, given enough time, crack encryption. Change your passwords.
  40. Cliff_Forster
    primesuspect wrote:
    I stand by my statement: A determined enough hacker (or group, or organized crime organization) can, given enough time, crack encryption. Change your passwords.

    ^^^This^^^
  41. ardichoke
    primesuspect wrote:
    I stand by my statement: A determined enough hacker (or group, or organized crime organization) can, given enough time, crack encryption. Change your passwords.

    The real problem with this statement, however, is that the two things are unrelated. The encryption most other people are talking about cracking is the encryption used on the credit card numbers. Changing your password won't help that.

    Yes, you should change your password because passwords can be brute forced, though it is more difficult as Valve was hashing and salting the passwords (as they should be).

    No, a determined enough hacker (or group or organized crime organization) does not have the ability to crack passable modern encryption, provided that Valve was using such methods (as they have claimed). Still, you should keep an eye on your credit card account just in case, but then again you should be doing that anyway.

    The two things are completely unrelated though.
  42. Cliff_Forster
    Two suggestions for online shopping.

    I'd recommend using a major credit card if you can vs. your check card. By the time it's due, you sign an affidavit if something stinks, and it never impacts you.

    Also, register that card to paypal and use paypal for everything you pay for online. It gets your card onto a single server vs. every vendor you use to minimize risk.
  43. NiGHTS
    Larger banks like Bank of America offer safeshop alternatives to create credit card numbers with spending limits on them that stay active for a period of time you are able to set.

    For instance, you could theoretically set up a Steam credit card with a $100 limit, an Amazon card with a $200 limit, and a third card with a $50 limit.

    It's a pretty neat way of keeping your daily credit cards safe without exposure to the world wide wibbles.
  44. Jeff
    primesuspect, you are again conflating the issues here. Given enough time, a person can probably crack a hash. This means your password may be exposed. Cryptographic hashes are NOT what is meant by "encryption", so please stop applying the term that way; encryption is only applicable to reversible methods (i.e., something that can be decrypted if you have the keys).

    They cannot crack standard encryption standards via brute force. They could not do it if they had all the commodity computers in the world. It takes specially-designed chipsets that are extremely expensive to crack this kind of encryption. The government probably has some, but these are not foolproof; they can only crack keys of insufficient length and they can only do this if they decide you're a "national security" level interest.

    The only way the hackers will get that credit card data is if they also got the secret keys, which is not impossible considering that Steam reversed the encryption automatically when you wanted to buy something. But they cannot brute force it given any amount of computing power if it was encrypted properly.
  45. PirateNinja
    Oh please, Jeff guest, nobody is arguing the Von Neumann-Landauer limit. Prime didn't say they could get at it with brute force. He is only offering sound advice based on the ONLY fact that we know, which is that nobody here knows exactly what happened or exactly how Valve's systems were set up. Sometimes you don't need to hack encryption to get around it.

    Changing your password is a good idea, arguing on the Internet isn't. I did both today, so I guess I'm not credible.

    And yes Kwitko, trololol.
  46. TheAlertHusky
    Oh god, not again. All of my accounts have been getting this kind of thing happening to them (Combat Arms, Xbox, YouTube and more). Thanks for posting this though, Prime!
  47. progste
    And this happened 5 days before I joined Steam (guess why =P), so I consider myself lucky XD
  48. Jokke
    Well, somehow my bank knows about this, and has blocked my card as a precaution. Too bad the waiting time for a new one is two weeks, meaning two weeks without any access to any of my accounts. Time to whip out the emergency card.
